search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Run DCE after a LoopFlatten test to reduce spurious output [nfc]
[llvm-project.git] / clang / test / Analysis / taint-generic.c
blobc6a01594f15abb74160791d3699d709c3e08eead
1 // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
2 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
3 // RUN: -analyzer-checker=alpha.security.taint \
4 // RUN: -analyzer-checker=core \
5 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
6 // RUN: -analyzer-checker=debug.ExprInspection \
7 // RUN: -analyzer-config \
8 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
9
10 // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
11 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
12 // RUN: -DFILE_IS_STRUCT \
13 // RUN: -analyzer-checker=alpha.security.taint \
14 // RUN: -analyzer-checker=core \
15 // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
16 // RUN: -analyzer-checker=debug.ExprInspection \
17 // RUN: -analyzer-config \
18 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
19
20 // RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \
21 // RUN: -Wno-incompatible-library-redeclaration -verify %s \
22 // RUN: -analyzer-checker=alpha.security.taint \
23 // RUN: -analyzer-checker=debug.ExprInspection \
24 // RUN: -analyzer-config \
25 // RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
26 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
27
28 // CHECK-INVALID-FILE: (frontend): invalid input for checker option
29 // CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
30 // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
31 // CHECK-INVALID-FILE-SAME: 'justguessit'
32
33 // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
34 // RUN: -verify %s \
35 // RUN: -analyzer-checker=alpha.security.taint \
36 // RUN: -analyzer-checker=debug.ExprInspection \
37 // RUN: -analyzer-config \
38 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
39 // RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED
40
41 // CHECK-ILL-FORMED: (frontend): invalid input for checker option
42 // CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
43 // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]]
44
45 // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
46 // RUN: -verify %s \
47 // RUN: -analyzer-checker=alpha.security.taint \
48 // RUN: -analyzer-checker=debug.ExprInspection \
49 // RUN: -analyzer-config \
50 // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
51 // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
52
53 // CHECK-INVALID-ARG: (frontend): invalid input for checker option
54 // CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
55 // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
56 // CHECK-INVALID-ARG-SAME: rules greater or equal to -1
57
58 typedef long long rsize_t;
59 typedef __typeof(sizeof(int)) size_t;
60 typedef signed long long ssize_t;
61 typedef __WCHAR_TYPE__ wchar_t;
62 void clang_analyzer_isTainted_char(char);
63 void clang_analyzer_isTainted_wchar(wchar_t);
64 void clang_analyzer_isTainted_charp(char*);
65 void clang_analyzer_isTainted_int(int);
66
67 int coin();
68
69 int scanf(const char *restrict format, ...);
70 char *gets(char *str);
71 char *gets_s(char *str, rsize_t n);
72 int getchar(void);
73
74 typedef struct _FILE FILE;
75 #ifdef FILE_IS_STRUCT
76 extern struct _FILE *stdin;
77 #else
78 extern FILE *stdin;
79 #endif
80
81 #define bool _Bool
82 #define NULL (void*)0
83
84 wchar_t *fgetws(wchar_t *ws, int n, FILE *stream);
85 wchar_t *wmemset(wchar_t *wcs, wchar_t wc, unsigned long n);
86 wchar_t *wmemcpy(wchar_t *dest, const wchar_t *src, size_t n);
87 wchar_t *wmemmove(wchar_t *dest, const wchar_t *src, size_t n);
88 size_t wcslen(const wchar_t *s);
89 wchar_t *wcscpy(wchar_t * dest, const wchar_t * src);
90 wchar_t *wcsncpy(wchar_t *dest, const wchar_t *src, size_t n);
91 wchar_t *wcscat(wchar_t *dest, const wchar_t *src);
92 wchar_t *wcsncat(wchar_t *dest,const wchar_t *src, size_t n);
93 int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...);
94
95 char *getenv(const char *name);
96
97 FILE *fopen(const char *name, const char *mode);
98
99 int fscanf(FILE *restrict stream, const char *restrict format, ...);
100 int sprintf(char *str, const char *format, ...);
101 void setproctitle(const char *fmt, ...);
102 void setproctitle_init(int argc, char *argv[], char *envp[]);
103
104 // Define string functions. Use builtin for some of them. They all default to
105 // the processing in the taint checker.
106 #define strcpy(dest, src) \
107 ((__builtin_object_size(dest, 0) != -1ULL) \
108 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
109 : __inline_strcpy_chk(dest, src))
110
111 static char *__inline_strcpy_chk (char *dest, const char *src) {
112 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
113 }
114 char *stpcpy(char *restrict s1, const char *restrict s2);
115 char *strncpy( char * destination, const char * source, size_t num );
116 char *strndup(const char *s, size_t n);
117 char *strncat(char *restrict s1, const char *restrict s2, size_t n);
118
119 void *malloc(size_t);
120 void *calloc(size_t nmemb, size_t size);
121 void bcopy(void *s1, void *s2, size_t n);
122
123
124 // function | pathname | filename | fd | arglist | argv[] | envp[]
125 // ===============================================================
126 // 1 execl | X | | | X | |
127 // 2 execle | X | | | X | | X
128 // 3 execlp | | X | | X | |
129 // 4 execv | X | | | | X |
130 // 5 execve | X | | | | X | X
131 // 6 execvp | | X | | | X |
132 // 7 execvpe | | X | | | X | X
133 // 8 fexecve | | | X | | X | X
134 // ===============================================================
135 // letter | | p | f | l | v | e
136 //
137 // legend:
138 // - pathname: rel/abs path to the binary
139 // - filename: file name searched in PATH to execute the binary
140 // - fd: accepts a file descriptor
141 // - arglist: accepts variadic arguments
142 // - argv: accepts a pointer to array, denoting the new argv
143 // - envp: accepts a pointer to array, denoting the new envp
144
145 int execl(const char *path, const char *arg, ...);
146 int execle(const char *path, const char *arg, ...);
147 int execlp(const char *file, const char *arg, ...);
148 int execv(const char *path, char *const argv[]);
149 int execve(const char *path, char *const argv[], char *const envp[]);
150 int execvp(const char *file, char *const argv[]);
151 int execvpe(const char *file, char *const argv[], char *const envp[]);
152 int fexecve(int fd, char *const argv[], char *const envp[]);
153 FILE *popen(const char *command, const char *type);
154 int pclose(FILE *stream);
155 int system(const char *command);
156
157
158 typedef size_t socklen_t;
159
160 struct sockaddr {
161 unsigned short sa_family;
162 char sa_data[14];
163 };
164
165 #define BUFSIZE 10
166
167 int Buffer[BUFSIZE];
168 void bufferScanfDirect(void)
169 {
170 int n;
171 scanf("%d", &n);
172 Buffer[n] = 1; // expected-warning {{Out of bound memory access }}
173 }
174
175 void bufferScanfArithmetic1(int x) {
176 int n;
177 scanf("%d", &n);
178 int m = (n - 3);
179 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
180 }
181
182 void bufferScanfArithmetic2(int x) {
183 int n;
184 scanf("%d", &n);
185 int m = 100 - (n + 3) * x;
186 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
187 }
188
189 void bufferScanfAssignment(int x) {
190 int n;
191 scanf("%d", &n);
192 int m;
193 if (x > 0) {
194 m = n;
195 Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
196 }
197 }
198
199 void scanfArg(void) {
200 int t = 0;
201 scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}}
202 }
203
204 void bufferGetchar(int x) {
205 int m = getchar();
206 Buffer[m] = 1; //expected-warning {{Out of bound memory access (index is tainted)}}
207 }
208
209 extern const unsigned short int **__ctype_b_loc (void);
210 enum { _ISdigit = 2048 };
211 # define isdigit(c) ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit)
212
213 int isdigitImplFalsePositive(void) {
214 // If this code no longer produces a bug report, then consider removing the
215 // special case that disables buffer overflow reports coming from the isXXXXX
216 // macros in ctypes.h.
217 int c = getchar();
218 return ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit);
219 //expected-warning@-1 {{Out of bound memory access (index is tainted)}}
220 }
221
222 int isdigitSuppressed(void) {
223 // Same code as above, but reports are suppressed based on macro name:
224 int c = getchar();
225 return isdigit(c); //no-warning
226 }
227
228 // Some later tests use isdigit as a function, so we need to undef it:
229 #undef isdigit
230
231 void testUncontrolledFormatString(char **p) {
232 char s[80];
233 fscanf(stdin, "%s", s);
234 char buf[128];
235 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
236 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
237
238 // Test taint propagation through strcpy and family.
239 char scpy[80];
240 strcpy(scpy, s);
241 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
242
243 stpcpy(*(++p), s); // this generates __inline.
244 setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}}
245
246 char spcpy[80];
247 stpcpy(spcpy, s);
248 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
249
250 char *spcpyret;
251 spcpyret = stpcpy(spcpy, s);
252 setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}}
253
254 char sncpy[80];
255 strncpy(sncpy, s, 20);
256 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
257
258 char *dup;
259 dup = strndup(s, 20);
260 setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}}
261
262 }
263
264 void testTaintSystemCall(void) {
265 char buffer[156];
266 char addr[128];
267 scanf("%s", addr);
268 system(addr); // expected-warning {{Untrusted data is passed to a system call}}
269
270 // Test that spintf transfers taint.
271 sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
272 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
273 }
274
275 void testTaintSystemCall2(void) {
276 // Test that snpintf transfers taint.
277 char buffern[156];
278 char addr[128];
279 scanf("%s", addr);
280 __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
281 // expected-warning@-1 {{'snprintf' will always be truncated; specified size is 10, but format string expands to at least 24}}
282 system(buffern); // expected-warning {{Untrusted data is passed to a system call}}
283 }
284
285 void testTaintSystemCall3(void) {
286 char buffern2[156];
287 int numt;
288 char addr[128];
289 scanf("%s %d", addr, &numt);
290 __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
291 system(buffern2); // expected-warning {{Untrusted data is passed to a system call}}
292 }
293
294 void testGets(void) {
295 char str[50];
296 gets(str);
297 system(str); // expected-warning {{Untrusted data is passed to a system call}}
298 }
299
300 void testGets_s(void) {
301 char str[50];
302 gets_s(str, 49);
303 system(str); // expected-warning {{Untrusted data is passed to a system call}}
304 }
305
306 void testTaintedBufferSize(void) {
307 size_t ts;
308 scanf("%zd", &ts);
309
310 int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Untrusted data is used to specify the buffer size}}
311 char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Untrusted data is used to specify the buffer size}}
312 bcopy(buf1, dst, ts); // expected-warning {{Untrusted data is used to specify the buffer size}}
313 __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
314
315 // If both buffers are trusted, do not issue a warning.
316 char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Untrusted data is used to specify the buffer size}}
317 strncat(dst2, dst, ts); // no-warning
318 }
319
320 #define AF_UNIX 1 /* local to host (pipes) */
321 #define AF_INET 2 /* internetwork: UDP, TCP, etc. */
322 #define AF_LOCAL AF_UNIX /* backward compatibility */
323 #define SOCK_STREAM 1
324 int socket(int, int, int);
325 size_t read(int, void *, size_t);
326
327 void testSocket(void) {
328 int sock;
329 char buffer[100];
330
331 sock = socket(AF_INET, SOCK_STREAM, 0);
332 read(sock, buffer, 100);
333 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
334
335 sock = socket(AF_LOCAL, SOCK_STREAM, 0);
336 read(sock, buffer, 100);
337 execl(buffer, "filename", 0); // no-warning
338
339 sock = socket(AF_INET, SOCK_STREAM, 0);
340 // References to both buffer and &buffer as an argument should taint the argument
341 read(sock, &buffer, 100);
342 execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}}
343 }
344
345 void testStruct(void) {
346 struct {
347 char buf[16];
348 int length;
349 } tainted;
350
351 char buffer[16];
352 int sock;
353
354 sock = socket(AF_INET, SOCK_STREAM, 0);
355 read(sock, &tainted, sizeof(tainted));
356 __builtin_memcpy(buffer, tainted.buf, tainted.length); // expected-warning {{Untrusted data is used to specify the buffer size}}
357 }
358
359 void testStructArray(void) {
360 struct {
361 int length;
362 } tainted[4];
363
364 char dstbuf[16], srcbuf[16];
365 int sock;
366
367 sock = socket(AF_INET, SOCK_STREAM, 0);
368 __builtin_memset(srcbuf, 0, sizeof(srcbuf));
369
370 read(sock, &tainted[0], sizeof(tainted));
371 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
372
373 __builtin_memset(&tainted, 0, sizeof(tainted));
374 read(sock, &tainted, sizeof(tainted));
375 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // expected-warning {{Untrusted data is used to specify the buffer size}}
376
377 __builtin_memset(&tainted, 0, sizeof(tainted));
378 // If we taint element 1, we should not raise an alert on taint for element 0 or element 2
379 read(sock, &tainted[1], sizeof(tainted));
380 __builtin_memcpy(dstbuf, srcbuf, tainted[0].length); // no-warning
381 __builtin_memcpy(dstbuf, srcbuf, tainted[2].length); // no-warning
382 }
383
384 void testUnion(void) {
385 union {
386 int x;
387 char y[4];
388 } tainted;
389
390 char buffer[4];
391
392 int sock = socket(AF_INET, SOCK_STREAM, 0);
393 read(sock, &tainted.y, sizeof(tainted.y));
394 // FIXME: overlapping regions aren't detected by isTainted yet
395 __builtin_memcpy(buffer, tainted.y, tainted.x);
396 }
397
398 int testDivByZero(void) {
399 int x;
400 scanf("%d", &x);
401 return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
402 }
403
404 // Zero-sized VLAs.
405 void testTaintedVLASize(void) {
406 int x;
407 scanf("%d", &x);
408 int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
409 }
410
411 int testTaintedAllocaMem() {
412 char x;
413 void * p;
414 scanf("%c", &x);
415 p = __builtin_alloca(1);
416 __builtin_memcpy(p, &x, 1);
417 return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
418 }
419
420 int testTaintedMallocMem() {
421 char x;
422 void * p;
423 scanf("%c", &x);
424 p = malloc(1);
425 __builtin_memcpy(p, &x, 1);
426 return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
427 }
428
429
430 // This computation used to take a very long time.
431 #define longcmp(a,b,c) { \
432 a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \
433 a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; }
434
435 unsigned radar11369570_hanging(const unsigned char *arr, int l) {
436 unsigned a, b, c;
437 a = b = c = 0x9899e3 + l;
438 while (l >= 6) {
439 unsigned t;
440 scanf("%d", &t);
441 a += b;
442 a ^= a;
443 a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24));
444 longcmp(a, t, c);
445 l -= 12;
446 }
447 return 5/a; // expected-warning {{Division by a tainted value, possibly zero}}
448 }
449
450 // Check that we do not assert of the following code.
451 int SymSymExprWithDiffTypes(void* p) {
452 int i;
453 scanf("%d", &i);
454 int j = (i % (int)(long)p);
455 return 5/j; // expected-warning {{Division by a tainted value, possibly zero}}
456 }
457
458
459 void constraintManagerShouldTreatAsOpaque(int rhs) {
460 int i;
461 scanf("%d", &i);
462 // This comparison used to hit an assertion in the constraint manager,
463 // which didn't handle NonLoc sym-sym comparisons.
464 if (i < rhs)
465 return;
466 if (i < rhs)
467 *(volatile int *) 0; // no-warning
468 }
469
470 int testSprintf_is_not_a_source(char *buf, char *msg) {
471 int x = sprintf(buf, "%s", msg); // no-warning
472 return 1 / x; // no-warning: 'sprintf' is not a taint source
473 }
474
475 int testSprintf_propagates_taint(char *buf, char *msg) {
476 scanf("%s", msg);
477 int x = sprintf(buf, "%s", msg); // propagate taint!
478 return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}}
479 }
480
481 void test_wchar_apis_dont_propagate(const char *path) {
482 // strlen, wcslen, strnlen and alike intentionally don't propagate taint.
483 // See the details here: https://github.com/llvm/llvm-project/pull/66086
484 // This isn't ideal, but this is only what we have now.
485
486 FILE *f = fopen(path, "r");
487 clang_analyzer_isTainted_charp((char*)f); // expected-warning {{YES}}
488 wchar_t wbuf[10];
489 fgetws(wbuf, sizeof(wbuf)/sizeof(*wbuf), f);
490 clang_analyzer_isTainted_wchar(*wbuf); // expected-warning {{YES}}
491 int n = wcslen(wbuf);
492 clang_analyzer_isTainted_int(n); // expected-warning {{NO}}
493
494 wchar_t dst[100] = L"ABC";
495 clang_analyzer_isTainted_wchar(*dst); // expected-warning {{NO}}
496 wcsncat(dst, wbuf, sizeof(wbuf)/sizeof(*wbuf));
497 clang_analyzer_isTainted_wchar(*dst); // expected-warning {{YES}}
498
499 int m = wcslen(dst);
500 clang_analyzer_isTainted_int(m); // expected-warning {{NO}}
501 }
502
503 int scanf_s(const char *format, ...);
504 int testScanf_s_(int *out) {
505 scanf_s("%d", out);
506 return 1 / *out; // expected-warning {{Division by a tainted value, possibly zero}}
507 }
508
509 #define _IO_FILE FILE
510 int _IO_getc(_IO_FILE *__fp);
511 int testUnderscoreIO_getc(_IO_FILE *fp) {
512 char c = _IO_getc(fp);
513 return 1 / c; // expected-warning {{Division by a tainted value, possibly zero}}
514 }
515
516 char *getcwd(char *buf, size_t size);
517 int testGetcwd(char *buf, size_t size) {
518 char *c = getcwd(buf, size);
519 return system(c); // expected-warning {{Untrusted data is passed to a system call}}
520 }
521
522 char *getwd(char *buf);
523 int testGetwd(char *buf) {
524 char *c = getwd(buf);
525 return system(c); // expected-warning {{Untrusted data is passed to a system call}}
526 }
527
528 ssize_t readlink(const char *path, char *buf, size_t bufsiz);
529 int testReadlink(char *path, char *buf, size_t bufsiz) {
530 ssize_t s = readlink(path, buf, bufsiz);
531 system(buf); // expected-warning {{Untrusted data is passed to a system call}}
532 // readlink never returns 0
533 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
534 }
535
536 ssize_t readlinkat(int dirfd, const char *pathname, char *buf, size_t bufsiz);
537 int testReadlinkat(int dirfd, char *path, char *buf, size_t bufsiz) {
538 ssize_t s = readlinkat(dirfd, path, buf, bufsiz);
539 system(buf); // expected-warning {{Untrusted data is passed to a system call}}
540 (void)(1 / dirfd); // arg 0 is not tainted
541 system(path); // arg 1 is not tainted
542 (void)(1 / bufsiz); // arg 3 is not tainted
543 // readlinkat never returns 0
544 return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}}
545 }
546
547 char *get_current_dir_name(void);
548 int testGet_current_dir_name() {
549 char *d = get_current_dir_name();
550 return system(d); // expected-warning {{Untrusted data is passed to a system call}}
551 }
552
553 int gethostname(char *name, size_t len);
554 int testGethostname(char *name, size_t len) {
555 gethostname(name, len);
556 return system(name); // expected-warning {{Untrusted data is passed to a system call}}
557 }
558
559 int getnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen,
560 char *restrict host, socklen_t hostlen,
561 char *restrict serv, socklen_t servlen, int flags);
562 int testGetnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen,
563 char *restrict host, socklen_t hostlen,
564 char *restrict serv, socklen_t servlen, int flags) {
565 getnameinfo(addr, addrlen, host, hostlen, serv, servlen, flags);
566
567 system(host); // expected-warning {{Untrusted data is passed to a system call}}
568 return system(serv); // expected-warning {{Untrusted data is passed to a system call}}
569 }
570
571 int getseuserbyname(const char *linuxuser, char **selinuxuser, char **level);
572 int testGetseuserbyname(const char *linuxuser, char **selinuxuser, char **level) {
573 getseuserbyname(linuxuser, selinuxuser, level);
574 system(selinuxuser[0]); // expected-warning {{Untrusted data is passed to a system call}}
575 return system(level[0]); // expected-warning {{Untrusted data is passed to a system call}}
576 }
577
578 typedef int gid_t;
579 int getgroups(int size, gid_t list[]);
580 int testGetgroups(int size, gid_t list[], bool flag) {
581 int result = getgroups(size, list);
582 if (flag)
583 return 1 / list[0]; // expected-warning {{Division by a tainted value, possibly zero}}
584
585 return 1 / (result + 1); // expected-warning {{Division by a tainted value, possibly zero}}
586 }
587
588 char *getlogin(void);
589 int testGetlogin() {
590 char *n = getlogin();
591 return system(n); // expected-warning {{Untrusted data is passed to a system call}}
592 }
593
594 int getlogin_r(char *buf, size_t bufsize);
595 int testGetlogin_r(char *buf, size_t bufsize) {
596 getlogin_r(buf, bufsize);
597 return system(buf); // expected-warning {{Untrusted data is passed to a system call}}
598 }
599
600 int fscanf_s(FILE *stream, const char *format, ...);
601 void testFscanf_s(const char *fname, int *d) {
602 FILE *f = fopen(fname, "r");
603 fscanf_s(f, "%d", d);
604 clang_analyzer_isTainted_int(*d); // expected-warning {{YES}}
605 }
606
607 int fread(void *buffer, size_t size, size_t count, FILE *stream);
608 void testFread(const char *fname, int *buffer, size_t size, size_t count) {
609 FILE *f = fopen(fname, "r");
610 size_t read = fread(buffer, size, count, f);
611
612 clang_analyzer_isTainted_int(*buffer); // expected-warning {{YES}}
613 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
614 }
615
616 ssize_t recv(int sockfd, void *buf, size_t len, int flags);
617 int accept(int fd, struct sockaddr *addr, socklen_t *addrlen);
618 int bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
619 int listen(int fd, int backlog);
620
621 void testRecv(int *buf, size_t len, int flags) {
622 int fd;
623 scanf("%d", &fd); // fake a tainted a file descriptor
624
625 size_t read = recv(fd, buf, len, flags);
626 clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
627 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
628 }
629
630 ssize_t recvfrom(int sockfd, void *restrict buf, size_t len, int flags,
631 struct sockaddr *restrict src_addr,
632 socklen_t *restrict addrlen);
633 void testRecvfrom(int *restrict buf, size_t len, int flags,
634 struct sockaddr *restrict src_addr,
635 socklen_t *restrict addrlen) {
636 int fd;
637 scanf("%d", &fd); // fake a tainted a file descriptor
638
639 size_t read = recvfrom(fd, buf, len, flags, src_addr, addrlen);
640 clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}}
641 clang_analyzer_isTainted_int(read); // expected-warning {{YES}}
642 }
643
644 char *ttyname(int fd);
645 void testTtyname() {
646 int fd;
647 scanf("%d", &fd); // fake a tainted a file descriptor
648
649 char *name = ttyname(fd);
650 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
651 }
652
653 int ttyname_r(int fd, char *buf, size_t buflen);
654 void testTtyname_r(char *buf, size_t buflen) {
655 int fd;
656 scanf("%d", &fd); // fake a tainted a file descriptor
657
658 int result = ttyname_r(fd, buf, buflen);
659 clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
660 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
661 }
662
663 char *dirname(char *path);
664 void testDirname() {
665 char buf[10];
666 scanf("%9s", buf);
667
668 char *name = dirname(buf);
669 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
670 }
671
672 char *basename(char *path);
673 void testBasename() {
674 char buf[10];
675 scanf("%9s", buf);
676
677 char *name = basename(buf);
678 clang_analyzer_isTainted_charp(name); // expected-warning {{YES}}
679 }
680
681 int fnmatch(const char *pattern, const char *string, int flags);
682 void testFnmatch(const char *pattern, int flags) {
683 char string[10];
684 scanf("%9s", string);
685
686 int result = fnmatch(pattern, string, flags);
687 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
688 }
689
690 void *memchr(const void *s, int c, size_t n);
691 void testMemchr(int c, size_t n) {
692 char buf[10];
693 scanf("%9s", buf);
694
695 char *result = memchr(buf, c, n);
696 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
697 }
698
699 void *memrchr(const void *s, int c, size_t n);
700 void testMemrchr(int c, size_t n) {
701 char buf[10];
702 scanf("%9s", buf);
703
704 char *result = memrchr(buf, c, n);
705 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
706 }
707
708 void *rawmemchr(const void *s, int c);
709 void testRawmemchr(int c) {
710 char buf[10];
711 scanf("%9s", buf);
712
713 char *result = rawmemchr(buf, c);
714 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
715 }
716
717 int mbtowc(wchar_t *pwc, const char *s, size_t n);
718 void testMbtowc(wchar_t *pwc, size_t n) {
719 char buf[10];
720 scanf("%9s", buf);
721
722 int result = mbtowc(pwc, buf, n);
723 clang_analyzer_isTainted_char(*pwc); // expected-warning {{YES}}
724 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
725 }
726
727 int wctomb(char *s, wchar_t wc);
728 void testWctomb(char *buf) {
729 wchar_t wc = getchar();
730
731 int result = wctomb(buf, wc);
732 clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}}
733 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
734 }
735
736 int wcwidth(wchar_t c);
737 void testWcwidth() {
738 wchar_t wc = getchar();
739
740 int width = wcwidth(wc);
741 clang_analyzer_isTainted_int(width); // expected-warning {{YES}}
742 }
743
744 int memcmp(const void *s1, const void *s2, size_t n);
745 void testMemcmpWithLHSTainted(size_t n, char *rhs) {
746 char lhs[10];
747 scanf("%9s", lhs);
748
749 int cmp_result = memcmp(lhs, rhs, n);
750 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
751 }
752
753 void testMemcmpWithRHSTainted(size_t n, char *lhs) {
754 char rhs[10];
755 scanf("%9s", rhs);
756
757 int cmp_result = memcmp(lhs, rhs, n);
758 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
759 }
760
761 void *memcpy(void *restrict dest, const void *restrict src, size_t n);
762 void testMemcpy(char *dst, size_t n) {
763 char src[10];
764 scanf("%9s", src);
765
766 char *result = memcpy(dst, src, n);
767
768 clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
769 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
770 }
771
772 void *memmove(void *dest, const void *src, size_t n);
773 void testMemmove(char *dst, size_t n) {
774 char src[10];
775 scanf("%9s", src);
776
777 char *result = memmove(dst, src, n);
778
779 clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}}
780 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
781 }
782
783 void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen);
784 void testMemmem(const void *needle, size_t needlelen) {
785 char haystack[10];
786 scanf("%9s", haystack);
787
788 char *result = memmem(haystack, 9, needle, needlelen);
789 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
790 }
791
792 char *strstr(const char *haystack, const char *needle);
793 void testStrstr(const char *needle) {
794 char haystack[10];
795 scanf("%9s", haystack);
796
797 char *result = strstr(haystack, needle);
798 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
799 }
800
801 char *strcasestr(const char *haystack, const char *needle);
802 void testStrcasestr(const char *needle) {
803 char haystack[10];
804 scanf("%9s", haystack);
805
806 char *result = strcasestr(haystack, needle);
807 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
808 }
809
810 char *strchrnul(const char *s, int c);
811 void testStrchrnul() {
812 char s[10];
813 scanf("%9s", s);
814
815 char *result = strchrnul(s, 9);
816 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
817 }
818
819 char *index(const char *s, int c);
820 void testIndex() {
821 char s[10];
822 scanf("%9s", s);
823
824 char *result = index(s, 9);
825 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
826 }
827
828 char *rindex(const char *s, int c);
829 void testRindex() {
830 char s[10];
831 scanf("%9s", s);
832
833 char *result = rindex(s, 9);
834 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
835 }
836
837 int strcmp(const char *s1, const char *s2);
838 void testStrcmpWithLHSTainted(char *rhs) {
839 char lhs[10];
840 scanf("%9s", lhs);
841
842 int cmp_result = strcmp(lhs, rhs);
843 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
844 }
845
846 void testStrcmpWithRHSTainted(char *lhs) {
847 char rhs[10];
848 scanf("%9s", rhs);
849
850 int cmp_result = strcmp(lhs, rhs);
851 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
852 }
853 int strcasecmp(const char *s1, const char *s2);
854 void testStrcasecmpWithLHSTainted(char *rhs) {
855 char lhs[10];
856 scanf("%9s", lhs);
857
858 int cmp_result = strcasecmp(lhs, rhs);
859 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
860 }
861
862 void testStrcasecmpWithRHSTainted(char *lhs) {
863 char rhs[10];
864 scanf("%9s", rhs);
865
866 int cmp_result = strcasecmp(lhs, rhs);
867 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
868 }
869 int strncmp(const char *s1, const char *s2, size_t n);
870 void testStrncmpWithLHSTainted(char *rhs, size_t n) {
871 char lhs[10];
872 scanf("%9s", lhs);
873
874 int cmp_result = strncmp(lhs, rhs, n);
875 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
876 }
877
878 void testStrncmpWithRHSTainted(char *lhs, size_t n) {
879 char rhs[10];
880 scanf("%9s", rhs);
881
882 int cmp_result = strncmp(lhs, rhs, n);
883 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
884 }
885
886 void testStrncmpWithNTainted(char *lhs, char *rhs) {
887 int n;
888 scanf("%d", &n);
889
890 int cmp_result = strncmp(lhs, rhs, n);
891 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
892 }
893
894 int strncasecmp(const char *s1, const char *s2, size_t n);
895 void testStrncasecmpWithLHSTainted(char *rhs, size_t n) {
896 char lhs[10];
897 scanf("%9s", lhs);
898
899 int cmp_result = strncmp(lhs, rhs, n);
900 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
901 }
902
903 void testStrncasecmpWithRHSTainted(char *lhs, size_t n) {
904 char rhs[10];
905 scanf("%9s", rhs);
906
907 int cmp_result = strncmp(lhs, rhs, n);
908 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
909 }
910
911 void testStrncasecmpWithNTainted(char *lhs, char *rhs) {
912 int n;
913 scanf("%d", &n);
914
915 int cmp_result = strncmp(lhs, rhs, n);
916 clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}}
917 }
918
919 size_t strspn(const char *s, const char *accept);
920 void testStrspnFirstArgTainted(const char *accept) {
921 char s[10];
922 scanf("%9s", s);
923
924 size_t result = strspn(s, accept);
925 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
926 }
927
928 void testStrspnSecondArgTainted(const char *s) {
929 char accept[10];
930 scanf("%9s", accept);
931
932 size_t result = strspn(s, accept);
933 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
934 }
935
936 size_t strcspn(const char *s, const char *reject);
937 void testStrcspnFirstArgTainted(const char *reject) {
938 char s[10];
939 scanf("%9s", s);
940
941 size_t result = strcspn(s, reject);
942 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
943 }
944
945 void testStrcspnSecondArgTainted(const char *s) {
946 char reject[10];
947 scanf("%9s", reject);
948
949 size_t result = strcspn(s, reject);
950 clang_analyzer_isTainted_int(result); // expected-warning {{YES}}
951 }
952
953 char *strpbrk(const char *s, const char *accept);
954 void testStrpbrk(const char *accept) {
955 char s[10];
956 scanf("%9s", s);
957
958 char *result = strpbrk(s, accept);
959 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
960 }
961
962 char *strndup(const char *s, size_t n);
963 void testStrndup(size_t n) {
964 char s[10];
965 scanf("%9s", s);
966
967 char *result = strndup(s, n);
968 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
969 }
970
971 char *strdupa(const char *s);
972 void testStrdupa() {
973 char s[10];
974 scanf("%9s", s);
975
976 char *result = strdupa(s);
977 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
978 }
979
980 char *strndupa(const char *s, size_t n);
981 void testStrndupa(size_t n) {
982 char s[10];
983 scanf("%9s", s);
984
985 char *result = strndupa(s, n);
986 clang_analyzer_isTainted_charp(result); // expected-warning {{YES}}
987 }
988
989 size_t strlen(const char *s);
990 void testStrlen_dont_propagate() {
991 // strlen, wcslen, strnlen and alike intentionally don't propagate taint.
992 // See the details here: https://github.com/llvm/llvm-project/pull/66086
993 // This isn't ideal, but this is only what we have now.
994 char s[10];
995 scanf("%9s", s);
996
997 size_t result = strlen(s);
998 // strlen propagating taint would bring in many false positives
999 clang_analyzer_isTainted_int(result); // expected-warning {{NO}}
1000 }
1001
1002 size_t strnlen(const char *s, size_t maxlen);
1003 void testStrnlen_dont_propagate(size_t maxlen) {
1004 // strlen, wcslen, strnlen and alike intentionally don't propagate taint.
1005 // See the details here: https://github.com/llvm/llvm-project/pull/66086
1006 // This isn't ideal, but this is only what we have now.
1007 char s[10];
1008 scanf("%9s", s);
1009 size_t result = strnlen(s, maxlen);
1010 clang_analyzer_isTainted_int(result); // expected-warning {{NO}}
1011 }
1012
1013 long strtol(const char *restrict nptr, char **restrict endptr, int base);
1014 long long strtoll(const char *restrict nptr, char **restrict endptr, int base);
1015 unsigned long int strtoul(const char *nptr, char **endptr, int base);
1016 unsigned long long int strtoull(const char *nptr, char **endptr, int base);
1017 void testStrtolVariants(char **restrict endptr, int base) {
1018 char s[10];
1019 scanf("%9s", s);
1020
1021 long result_l = strtol(s, endptr, base);
1022 clang_analyzer_isTainted_int(result_l); // expected-warning {{YES}}
1023
1024 long long result_ll = strtoll(s, endptr, base);
1025 clang_analyzer_isTainted_int(result_ll); // expected-warning {{YES}}
1026
1027 unsigned long result_ul = strtoul(s, endptr, base);
1028 clang_analyzer_isTainted_int(result_ul); // expected-warning {{YES}}
1029
1030 unsigned long long result_ull = strtoull(s, endptr, base);
1031 clang_analyzer_isTainted_int(result_ull); // expected-warning {{YES}}
1032 }
1033
1034 int isalnum(int c);
1035 int isalpha(int c);
1036 int isascii(int c);
1037 int isblank(int c);
1038 int iscntrl(int c);
1039 int isdigit(int c);
1040 int isgraph(int c);
1041 int islower(int c);
1042 int isprint(int c);
1043 int ispunct(int c);
1044 int isspace(int c);
1045 int isupper(int c);
1046 int isxdigit(int c);
1047
1048 void testIsFunctions() {
1049 char c;
1050 scanf("%c", &c);
1051
1052 int alnum = isalnum(c);
1053 clang_analyzer_isTainted_int(alnum); // expected-warning {{YES}}
1054
1055 int alpha = isalpha(c);
1056 clang_analyzer_isTainted_int(alpha); // expected-warning {{YES}}
1057
1058 int ascii = isascii(c);
1059 clang_analyzer_isTainted_int(ascii); // expected-warning {{YES}}
1060
1061 int blank = isblank(c);
1062 clang_analyzer_isTainted_int(blank); // expected-warning {{YES}}
1063
1064 int cntrl = iscntrl(c);
1065 clang_analyzer_isTainted_int(cntrl); // expected-warning {{YES}}
1066
1067 int digit = isdigit(c);
1068 clang_analyzer_isTainted_int(digit); // expected-warning {{YES}}
1069
1070 int graph = isgraph(c);
1071 clang_analyzer_isTainted_int(graph); // expected-warning {{YES}}
1072
1073 int lower = islower(c);
1074 clang_analyzer_isTainted_int(lower); // expected-warning {{YES}}
1075
1076 int print = isprint(c);
1077 clang_analyzer_isTainted_int(print); // expected-warning {{YES}}
1078
1079 int punct = ispunct(c);
1080 clang_analyzer_isTainted_int(punct); // expected-warning {{YES}}
1081
1082 int space = isspace(c);
1083 clang_analyzer_isTainted_int(space); // expected-warning {{YES}}
1084
1085 int upper = isupper(c);
1086 clang_analyzer_isTainted_int(upper); // expected-warning {{YES}}
1087
1088 int xdigit = isxdigit(c);
1089 clang_analyzer_isTainted_int(xdigit); // expected-warning {{YES}}
1090 }
1091
1092 void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));
1093 void qsort_r(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *, void *), void *arg);
1094 void testQsort() {
1095 int data[1];
1096 scanf("%d", data);
1097
1098 qsort(data, sizeof(data), sizeof(data[0]), NULL);
1099 clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
1100 qsort_r(data, sizeof(data), sizeof(data[0]), NULL, NULL);
1101 clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}}
1102 }
1103
1104 // Test configuration
1105 int mySource1(void);
1106 void mySource2(int*);
1107 void myScanf(const char*, ...);
1108 int myPropagator(int, int*);
1109 int mySnprintf(char*, size_t, const char*, ...);
1110 bool isOutOfRange(const int*); // const filter function
1111 void sanitizeCmd(char*); // non-const filter function
1112 void mySink(int, int, int);
1113
1114 void testConfigurationSources1(void) {
1115 int x = mySource1();
1116 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
1117 }
1118
1119 void testConfigurationSources2(void) {
1120 int x;
1121 mySource2(&x);
1122 Buffer[x] = 1; // expected-warning {{Out of bound memory access }}
1123 }
1124
1125 void testConfigurationSources3(void) {
1126 int x, y;
1127 myScanf("%d %d", &x, &y);
1128 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
1129 }
1130
1131 void testConfigurationPropagation(void) {
1132 int x = mySource1();
1133 int y;
1134 myPropagator(x, &y);
1135 Buffer[y] = 1; // expected-warning {{Out of bound memory access }}
1136 }
1137
1138 void testConfigurationFilter(void) {
1139 int x = mySource1();
1140 if (isOutOfRange(&x)) // the filter function
1141 return;
1142 Buffer[x] = 1; // no-warning
1143 }
1144
1145 void testConfigurationFilterNonConst(void) {
1146 char buffer[1000];
1147 myScanf("%s", buffer); // makes buffer tainted
1148 system(buffer); // expected-warning {{Untrusted data is passed to a system call}}
1149 }
1150
1151 void testConfigurationFilterNonConst2(void) {
1152 char buffer[1000];
1153 myScanf("%s", buffer); // makes buffer tainted
1154 sanitizeCmd(buffer); // removes taintedness
1155 system(buffer); // no-warning
1156 }
1157
1158 void testConfigurationSinks(void) {
1159 int x = mySource1();
1160 mySink(x, 1, 2);
1161 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
1162 mySink(1, x, 2); // no-warning
1163 mySink(1, 2, x);
1164 // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}}
1165 }
1166
1167 int test_exec_like_functions() {
1168 char buf[100] = {0};
1169 scanf("%99s", buf);
1170 clang_analyzer_isTainted_char(buf[0]); // expected-warning {{YES}}
1171
1172 char *cleanArray[] = {"ENV1=V1", "ENV2=V2", NULL};
1173 char *taintedArray[] = {buf, "ENV2=V2", NULL};
1174 clang_analyzer_isTainted_char(taintedArray[0][0]); // expected-warning {{YES}}
1175 clang_analyzer_isTainted_char(*(char*)taintedArray[0]); // expected-warning {{YES}}
1176 clang_analyzer_isTainted_char(*(char*)taintedArray); // expected-warning {{NO}} We should have YES here.
1177 // FIXME: Above the triple pointer indirection will confuse the checker,
1178 // as we only check two levels. The results would be worse, if the tainted
1179 // subobject ("buf") would not be at the beginning of the enclosing object,
1180 // for the same reason.
1181
1182 switch (coin()) {
1183 default: break;
1184 // Execute `path` with all arguments after `path` until a NULL pointer
1185 // and environment from `environ'.
1186 case 0: return execl("path", "arg0", "arg1", "arg2", NULL); // no-warning
1187 case 1: return execl(buf, "arg0", "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1188 case 2: return execl("path", buf, "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1189 case 3: return execl("path", "arg0", buf, "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1190 case 4: return execl("path", "arg0", "arg1", buf, NULL); // expected-warning {{Untrusted data is passed to a system call}}
1191 }
1192
1193 switch (coin()) {
1194 default: break;
1195 // Execute `path` with all arguments after `PATH` until a NULL pointer,
1196 // and the argument after that for environment.
1197 case 0: return execle("path", "arg0", "arg1", NULL, cleanArray); // no-warning
1198 case 1: return execle( buf, "arg0", "arg1", NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1199 case 2: return execle("path", buf, "arg1", NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1200 case 3: return execle("path", "arg0", buf, NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1201 case 4: return execle("path", "arg0", "arg1", NULL, buf); // expected-warning {{Untrusted data is passed to a system call}}
1202 case 5: return execle("path", "arg0", "arg1", NULL, taintedArray); // FIXME: We might wanna have a report here.
1203 }
1204
1205 switch (coin()) {
1206 default: break;
1207 // Execute `file`, searching in the `PATH' environment variable if it
1208 // contains no slashes, with all arguments after `file` until a NULL
1209 // pointer and environment from `environ'.
1210 case 0: return execlp("file", "arg0", "arg1", "arg2", NULL); // no-warning
1211 case 1: return execlp( buf, "arg0", "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1212 case 2: return execlp("file", buf, "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1213 case 3: return execlp("file", "arg0", buf, "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}}
1214 case 4: return execlp("file", "arg0", "arg1", buf, NULL); // expected-warning {{Untrusted data is passed to a system call}}
1215 }
1216
1217 switch (coin()) {
1218 default: break;
1219 // Execute `path` with arguments `ARGV` and environment from `environ'.
1220 case 0: return execv("path", /*argv=*/ cleanArray); // no-warning
1221 case 1: return execv( buf, /*argv=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1222 case 2: return execv("path", /*argv=*/taintedArray); // FIXME: We might wanna have a report here.
1223 }
1224
1225 switch (coin()) {
1226 default: break;
1227 // Replace the current process, executing `path` with arguments `ARGV`
1228 // and environment `ENVP`. `ARGV` and `ENVP` are terminated by NULL pointers.
1229 case 0: return execve("path", /*argv=*/ cleanArray, /*envp=*/cleanArray); // no-warning
1230 case 1: return execve( buf, /*argv=*/ cleanArray, /*envp=*/cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1231 case 2: return execve("path", /*argv=*/taintedArray, /*envp=*/cleanArray); // FIXME: We might wanna have a report here.
1232 case 3: return execve("path", /*argv=*/cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here.
1233 }
1234
1235 switch (coin()) {
1236 default: break;
1237 // Execute `file`, searching in the `PATH' environment variable if it
1238 // contains no slashes, with arguments `ARGV` and environment from `environ'.
1239 case 0: return execvp("file", /*argv=*/ cleanArray); // no-warning
1240 case 1: return execvp( buf, /*argv=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1241 case 2: return execvp("file", /*argv=*/taintedArray); // FIXME: We might wanna have a report here.
1242 }
1243
1244 // execvpe
1245 switch (coin()) {
1246 default: break;
1247 // Execute `file`, searching in the `PATH' environment variable if it
1248 // contains no slashes, with arguments `ARGV` and environment `ENVP`.
1249 // `ARGV` and `ENVP` are terminated by NULL pointers.
1250 case 0: return execvpe("file", /*argv=*/ cleanArray, /*envp=*/ cleanArray); // no-warning
1251 case 1: return execvpe( buf, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1252 case 2: return execvpe("file", /*argv=*/taintedArray, /*envp=*/ cleanArray); // FIXME: We might wanna have a report here.
1253 case 3: return execvpe("file", /*argv=*/ cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here.
1254 }
1255
1256 int cleanFD = coin();
1257 int taintedFD;
1258 scanf("%d", &taintedFD);
1259 clang_analyzer_isTainted_int(taintedFD); // expected-warning {{YES}}
1260
1261 switch (coin()) {
1262 default: break;
1263 // Execute the file `FD` refers to, overlaying the running program image.
1264 // `ARGV` and `ENVP` are passed to the new program, as for `execve'.
1265 case 0: return fexecve( cleanFD, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // no-warning
1266 case 1: return fexecve(taintedFD, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}}
1267 case 2: return fexecve( cleanFD, /*argv=*/taintedArray, /*envp=*/ cleanArray); // FIXME: We might wanna have a report here.
1268 case 3: return fexecve( cleanFD, /*argv=*/ cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here.
1269 }
1270
1271 switch (coin()) {
1272 default: break;
1273 // Create a new stream connected to a pipe running the given `command`.
1274 case 0: return pclose(popen("command", /*mode=*/"r")); // no-warning
1275 case 1: return pclose(popen( buf, /*mode=*/"r")); // expected-warning {{Untrusted data is passed to a system call}}
1276 case 2: return pclose(popen("command", /*mode=*/buf)); // 'mode' is not a taint sink.
1277 }
1278
1279 switch (coin()) {
1280 default: break;
1281 // Execute the given line as a shell command.
1282 case 0: return system("command"); // no-warning
1283 case 1: return system( buf); // expected-warning {{Untrusted data is passed to a system call}}
1284 }
1285
1286 return 0;
1287 }
1288
1289 void testUnknownFunction(void (*foo)(void)) {
1290 foo(); // no-crash
1291 }
1292
1293 void testProctitleFalseNegative(void) {
1294 char flag[80];
1295 fscanf(stdin, "%79s", flag);
1296 char *argv[] = {"myapp", flag};
1297 // FIXME: We should have a warning below: Untrusted data passed to sink.
1298 setproctitle_init(1, argv, 0);
1299 }
1300
1301 void testProctitle2(char *real_argv[]) {
1302 char *app = getenv("APP_NAME");
1303 if (!app)
1304 return;
1305 char *argv[] = {app, "--foobar"};
1306 setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}}
1307 setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}}
1308 }
1309
1310 void testAcceptPropagates() {
1311 int listenSocket = socket(2, 1, 6);
1312 clang_analyzer_isTainted_int(listenSocket); // expected-warning {{YES}}
1313 int acceptSocket = accept(listenSocket, 0, 0);
1314 clang_analyzer_isTainted_int(acceptSocket); // expected-warning {{YES}}
1315 }
LLVM monorepo